
rockfish mcp

Start an MCP (Model Context Protocol) server for AI-powered queries on Parquet data.

Overview

The MCP server exposes Parquet data to AI assistants and LLM toolchains using the Model Context Protocol. It provides query tools for data exploration and hunt tools for threat detection.

Usage

```bash
rockfish mcp [OPTIONS]
```

Transport Modes

| Mode | Use Case |
|------|----------|
| `stdio` (default) | Claude Desktop, local tool integration |
| `http` | Web clients, remote access |

```bash
# stdio mode (default)
rockfish mcp

# HTTP mode
rockfish mcp -t http --host 0.0.0.0 --port 3000
```

Built-in Tools

Query Tools

| Tool | Description |
|------|-------------|
| `query` | Query with SQL filters and column selection |
| `aggregate` | Group and aggregate data |
| `sample` | Get random sample rows |
| `count` | Count rows with optional filter |
| `schema` | Get column names and types |
| `list_sources` | List configured data sources |

Hunt Tools

| Tool | Description |
|------|-------------|
| `detect_beaconing` | Find C2 beacon patterns |
| `detect_lateral_movement` | Trace internal attack chains |
| `detect_c2_fanout` | Identify C2 fan-out patterns |
| `detect_port_scan` | Find port scanning activity |
| `detect_communities` | Discover botnet-like clusters |
| `detect_dns_tunneling` | Flag DNS tunneling indicators |
| `detect_data_exfiltration` | Find data exfiltration patterns |

Options

| Option | Default | Description |
|--------|---------|-------------|
| `-t, --transport` | `stdio` | Transport mode: `stdio` or `http` |
| `--data-dir` | from config | Override data directory |
| `--sensor` | from config | Override sensor name |
| `--no-hive` | - | Disable hive partitioning |
| `--host` | `127.0.0.1` | HTTP server host |
| `--port` | `3000` | HTTP server port |

Authentication

HTTP mode supports JWT token authentication and OAuth2. See the MCP authentication documentation for configuration details. Enable one of them whenever the HTTP transport is bound to a non-loopback address such as `0.0.0.0`, since the server and every tool it exposes are then reachable from any host on that network; the default stdio transport is reachable only by the process that spawned it.

Examples

```bash
# Start MCP server for Claude Desktop
rockfish mcp --data-dir /data/rockfish --sensor prod-01

# HTTP mode for web clients
rockfish mcp -t http --host 0.0.0.0 --port 3000 \
  --data-dir /data/rockfish --sensor prod-01
```
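To show what an AI assistant actually sends to this server, the following is an added example of a minimal MCP client for the stdio transport; it is not part of rockfish and not taken from this page. MCP messages are JSON-RPC 2.0 objects, and on the stdio transport each one is a single line of JSON on the server's stdin/stdout. The tool names (`schema`, `count`, `detect_beaconing`) are the ones listed above, but the argument names the example passes to them (`filter`, `min_connections`) are assumptions and may not match rockfish's real tool schemas; the `tools/list` reply is the authoritative source for those.

```python
"""Minimal MCP stdio client for driving `rockfish mcp` (added example, not
part of rockfish). Tool argument names below are assumptions."""
import json
import shutil
import subprocess
from typing import Any, Dict, List, Optional

PROTOCOL_VERSION = "2024-11-05"  # MCP revision this client announces


def build_request(req_id: int, method: str,
                  params: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
    """JSON-RPC 2.0 request; the `id` is what pairs a reply with its request."""
    msg: Dict[str, Any] = {"jsonrpc": "2.0", "id": req_id, "method": method}
    if params is not None:
        msg["params"] = params
    return msg


def build_notification(method: str) -> Dict[str, Any]:
    """A notification carries no `id`, so the server never answers it."""
    return {"jsonrpc": "2.0", "method": method}


def build_tool_call(req_id: int, name: str,
                    arguments: Dict[str, Any]) -> Dict[str, Any]:
    return build_request(req_id, "tools/call",
                         {"name": name, "arguments": arguments})


def session_frames() -> List[Dict[str, Any]]:
    """Handshake followed by three tool calls, in the order MCP requires."""
    return [
        build_request(1, "initialize", {
            "protocolVersion": PROTOCOL_VERSION,
            "capabilities": {},
            "clientInfo": {"name": "example-client", "version": "0.1"},
        }),
        build_notification("notifications/initialized"),
        build_request(2, "tools/list"),
        build_tool_call(3, "schema", {}),
        # Argument names are assumed, not taken from rockfish's tool schema.
        build_tool_call(4, "count", {"filter": "dst_port = 53"}),
        build_tool_call(5, "detect_beaconing", {"min_connections": 20}),
    ]


def encode_frame(msg: Dict[str, Any]) -> bytes:
    """One compact JSON object per line; an embedded newline would split a frame."""
    return (json.dumps(msg, separators=(",", ":")) + "\n").encode()


def decode_frames(data: bytes) -> List[Dict[str, Any]]:
    """Split captured server output into messages, skipping blank lines."""
    return [json.loads(line) for line in data.decode().splitlines() if line.strip()]


def pair_responses(requests: List[Dict[str, Any]],
                   responses: List[Dict[str, Any]]) -> Dict[int, Optional[Dict[str, Any]]]:
    """Map each request id to its reply, or None if the server never answered."""
    by_id = {r["id"]: r for r in responses if "id" in r}
    return {req["id"]: by_id.get(req["id"]) for req in requests if "id" in req}


def tool_names(list_reply: Dict[str, Any]) -> List[str]:
    """Tool names advertised in a `tools/list` result."""
    return [t["name"] for t in list_reply.get("result", {}).get("tools", [])]


def run_stdio_session(argv: List[str], frames: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Spawn the server, send frames one at a time, wait for each request's reply."""
    proc = subprocess.Popen(argv, stdin=subprocess.PIPE, stdout=subprocess.PIPE)
    replies: List[Dict[str, Any]] = []
    try:
        for frame in frames:
            proc.stdin.write(encode_frame(frame))
            proc.stdin.flush()
            if "id" not in frame:          # notifications get no reply
                continue
            while True:                     # server may interleave its own notifications
                line = proc.stdout.readline()
                if not line:
                    raise RuntimeError("server closed stdout before replying")
                msg = json.loads(line)
                replies.append(msg)
                if msg.get("id") == frame["id"]:
                    break
    finally:
        proc.stdin.close()
        proc.wait(timeout=30)
    return replies


if __name__ == "__main__":
    if shutil.which("rockfish") is None:
        print("rockfish not on PATH; frames that would be sent:")
        for f in session_frames():
            print(encode_frame(f).decode().rstrip())
    else:
        replies = run_stdio_session(
            ["rockfish", "mcp", "--data-dir", "/data/rockfish", "--sensor", "prod-01"],
            session_frames())
        paired = pair_responses(session_frames(), replies)
        print("advertised tools:", tool_names(paired[2] or {}))
        for rid, rep in paired.items():
            print(rid, "missing" if rep is None else ("error" if "error" in rep else "ok"))
```

Run it with `rockfish` on `PATH` to see the advertised tool list and a per-request status; without the binary it prints the frames it would send. The read loop keeps consuming lines until the reply carrying the matching `id` arrives, because a server is free to emit notifications (for example log messages) between a request and its response, and treating the first line as the answer would silently mis-pair them.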